Ransomware isn’t the only cause to blame for cyber breaches and cloud data loss

By Matt Kingswood, Head of IT Specialists (ITS) UK.

  • 8 years ago Posted in
Ransomware might be the trending topic in cybersecurity news, but it’s not the only cyber threat you should be looking at. There’s another culprit that tends to slip under the radar: people like you and me. People are responsible for making errors such as accessing an insecure web page, downloading infected software or clicking a phishing link in an email. In fact, of all the data breaches reported in the UK during Q1 2016, ICO data reveals that 62 per cent were caused by human error.
 
These incidents involving human error are putting businesses at a greater risk of data loss. In fact, 11 per cent of UK-based IT managers whose companies had experienced a ransomware attack or other breach said they had experienced data loss as a result. This percentage might seem insignificant – until you consider the fact that, according to research by the University of Portsmouth, fraud and human error are costing UK organisations ?98.6 billion a year. Unfortunately, that number is even larger, as it doesn’t include undiscovered or unreported instances.
 
While some might think that storing data in the cloud keeps it from being vulnerable to ransomware, they’re wrong. Ransomware can encrypt files on hardware and cloud services alike. And, of course, data in the cloud is always susceptible to human error.
 
So how do you protect your data from people who press the delete key when they shouldn’t or unknowingly introduce malware to your network? To start, follow the below steps.
 
Back up data
 
If despite your best efforts, an employee or vendor deletes your data, you can restore the files and prevent a significant impact on business operations if you have current backups. If your systems are taken hostage by ransomware, rather than paying the ransom (which is never recommended, as it only encourages hackers), data backups are the key to being able to regain access to your files.
If a vendor will be handling sensitive data in the cloud, first ensure that the files remain encrypted in transit and at rest. Also verify that the vendor offers service level agreements (SLAs) that provide adequate recourse in the unfortunate event that data is lost.
 
While the vendor’s terms of service may meet your needs, they can often change without your being aware. One man, a distinguished lecturer for a content network, found himself in this unfortunate scenario when he one day discovered that his cloud vendor had intentionally deleted more than five years of archives for 15 retired machines. Only after lengthy back-and-forth discussions with the vendor’s tech support did he discover that the corporation’s retention policy had changed. Fortunately, the backups were eventually restored, but without his persistence, they could have been permanently lost.
 
Whereas a vendor can change its terms of service without notice, they can’t change the terms of an agreement you’ve signed without your being aware of it. When reviewing an SLA, ensure that the vendor can restore your data within your recovery time objectives (RTOs). For example, Lukas Hospital in Neuss, Germany, had complete backups of all systems in place, but when it was plagued with TeslaCrypt 2.0 ransomware, the hospital estimated that it would take up to 48 hours before its IT environment was fully functional again. As a result, 20 per cent of the hospital’s surgeries had to be rescheduled, and less critical care had to be temporarily shifted to other hospitals.
 
Backups are the key to protecting yourself from data loss, but backup services provided by a vendor must be backed by SLAs and they must meet your RTOs.
 
Beware of shadow IT
 
As if the risk posed by human error and ransomware alone weren’t enough to keep businesses on their toes, shadow IT only aggravates the threat. Research from Cisco reveals that CIOs estimate that their organisation has 51 public cloud applications in use, but the actual number is more like 730. If your employees are uploading restricted data to an unauthorised cloud application – such as Google Drive, Dropbox and Evernote – without proper encryption, this increases your security risk.
 
Another one of the most prevalent threats to data loss on the cloud is the use of software as a service (SaaS). A recent study found that almost 80 per cent of respondents had lost data in their organisations’ SaaS deployments. The top causes were accidental deletion (41 per cent), migration errors (31 per cent) and accidental overwrites (26 per cent).
 
If your organisation is unaware that employees are even using certain cloud applications, this introduces an unnecessary risk. Creating a strong security culture (this will be addressed more below) in which the IT department strives to address security issues while acting as a trusted adviser will encourage users to enlist IT’s help in selecting and implementing cloud solutions.
 
Educate employees about security best practices
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    
The majority of incidents attributable to human error are associated with sheer carelessness or lack of knowledge about how to properly handle data. In the ICO data mentioned above, a large portion of the incidents linked to human error included security gaffes such as posting, emailing or faxing data to the wrong recipient. Worse, an unsettling number of employees are falling victim to phishing attempts. According to research from Verizon, people opened 30 per cent of phishing messages – that’s 7 per cent greater than last year – and of those, 13 per cent also opened the attachment, giving malware a clear path to the network.  
 
To protect against threats, employees need to be educated on:
  • How to prevent unauthorised access to data. In addition to verifying that they’re sending data to the appropriate recipient, they should consider who else might be able to view the information. When data is uploaded to the cloud or placed in a shared folder on a local area network, the files must be encrypted to deter unauthorised access to the data.
  • How to identify phishing emails. Educate employees on how to view emails with a critical eye. Warning signs include poor design, incorrect spelling and grammar, requests for personal details, suspicious attachments and URLs that don’t match the company’s primary domain (to view a URL without clicking a link, users can hover over the link with their cursor).
  • How to respond to a suspected ransomware attack. If employees encounter any suspicious activity, instruct them to notify IT as soon as it’s detected. If a device is affected by ransomware, employees should know to stop working on the affected device immediately.
  • Why it’s important to apply security patches. With new security threats continually surfacing, hardware and software developers are creating security patches that secure the application or device. Instruct employees to apply these updates promptly to ensure the company’s data and network are protected.
  • How to create secure logins. Employees need to create complex passwords that involve special characters, numbers and a mix of lower- and uppercase letters. Whenever possible, use two-factor authentication to increase security.
 
Having employees who are educated in security best practices reduces the chance of unauthorised access to data as well as ransomware taking your data hostage.
 
Create clear security policies and enforce them
 
Your best defence against security breaches and data loss is creating a culture of security that begins from the top down and is supported by clear, enforceable policies.
 
When creating a data handling policy, start with classifying data according to how sensitive it is. Personally identifiable details and health information, for example, should only be accessible to those whose job duties require that information. Clear consequences should be set in place for employees who access or use data outside of their job duties.
 
Additionally, you need to put parameters on how users access data. Employees who have access to company files, databases and applications whenever they want using any device is one of the main threats to company data. Although most UK businesses (95 per cent, according to a BT study) permit bring-your-own-device (BYOD) practices, these practices lack security. BT’s research shows 41 per cent of organisations have suffered a mobile security breach over the last year, 33 per cent grant users unbridled access to the internal network, and 15 per cent lack confidence that they have the resources to prevent a breach.
 
Your BYOD policy should address issues such as data security, remote management, data transfer, backups, data wipe and technical support (office or field based). If you work with a managed services provider for your IT support, ensure that the vendor can assist with developing and supporting your BYOD program.
 
Although it’s crucial to be aware of cybercriminals who are targeting businesses with increasingly sophisticated attacks, you can’t afford to ignore the threats within the walls of your organisation. Ultimately, you will reduce your risk of cyber threats and minimise data loss by holding cloud vendors accountable through SLAs, reigning in shadow IT, educating employees and creating a culture of security.
By Barry O'Donnelll, Chief Operating Officer at TSG.
By Dr. Sven Krasser, Senior Vice President and Chief Scientist, CrowdStrike.
By Gareth Beanland, Infinidat.
By Nick Heudecker, Senior Director at Cribl.
By Stuart Green, Cloud Security Architect at Check Point Software Technologies.
The cloud is the backbone of digital cybersecurity. By Walter Heck, CTO HeleCloud
By Damien Brophy, Vice President EMEA at ThoughtSpot.